Verifying the five Master Keys

When using chroot on both an unsquashed fs image and a LiveCD rescue environment, the "pacman-key --populate archlinux" command would not work without manually installing the archlinux-keyring package. That package could not be installed without disabling signature checking in pacman.conf. A real "gotcha" for a newbie.

I didn't want to pollute more "stable" pages with what I got from the board discussion until people had a chance to make sure I wasn't entirely off-base. I agree it can be merged, as long as some of the "higher-level" (why?) discussion doesn't completely get mixed up with the command-level discussion. Jernst (talk) 17:02, 1 September 2014 (UTC)

We may also take the chance to use a better title, like pacman web of trust, Arch web of trust, Arch Linux web of trust... (share more ideas if you have some): "pacman-key" doesn't represent well the intended scope of the article, while "PacmanWoT" is a compressed/abbreviated form which is not appropriate at all on the wiki; we may also discuss the capitalization of "web of trust", which is found also as "Web of Trust" (and with the "WOT" and "WoT" acronyms).

FAQ

Couldn't the initial WoT be pre-generated as part of some package, so the pacman-key commands (which include the relatively expensive generation of a gpg key pair) won't have to be executed when the system boots?

No. To pre-generate them, all Arch installations would have to end up with the same gpg key pair. That would enable malicious Arch user Alice (who has access to the same private key as victim Bob does) to sign a malicious package that Bob's pacman would accept, because Bob necessarily must trust his root key pair. (See also discussion on this post.)

Why do we need a root key pair at all? Can't Arch just simply install the public keys of the maintainers in some directory?

Actually, Arch does have the public keys of the maintainers in a gpg keyring in /usr/share/pacman/keyrings (part of package archlinux-keyring). If pacman uses gpg's Web of Trust mechanism, that means those public keys must be signed; otherwise some other WoT implementation would have to be used.
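An added example (not from the wiki or from pacman-key itself) of checking the point above from the defender's side: which keys in the pacman keyring actually have validity under the local web of trust, i.e. are signed, directly or via a locally trusted master key, by the root key pair that pacman-key --init generated. It parses gpg's machine-readable --with-colons listing; the key listing embedded below is constructed sample data, not real Arch keys.

```shell
#!/bin/sh
# Report keys whose validity is NOT established by the local web of trust.
# Reads a "gpg --list-keys --with-colons" listing on stdin and prints
# "<keyid> <validity> <uid>" for every key whose validity code is not
# f (full), u (ultimate) or m (marginal). Such a key was imported but
# nobody trusted locally has signed it, so pacman will not accept
# packages signed with it.
untrusted_keys() {
  awk -F: '
    # pub record: field 2 is validity, field 5 the long key id
    $1 == "pub" { keyid = $5; validity = $2; want = (validity !~ /^[fum]$/) }
    # first uid record after a flagged pub record carries the name/email
    $1 == "uid" && want { print keyid, validity, $10; want = 0 }
  '
}

# Constructed sample listing (key ids and addresses are placeholders):
#  - the local root key pair (ultimate validity, owner trust "u"),
#  - a packager key made fully valid by a trusted master-key signature,
#  - an unofficial-repo key that was imported but never signed.
SAMPLE='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0000000000000001:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::A1::Pacman Keyring Master Key <pacman@localhost>::::::::::0:
pub:f:4096:1:0000000000000002:1700000000:::-:::scESC::::::23::0:
uid:f::::1700000000::B2::Example Packager <packager@example.invalid>::::::::::0:
pub:-:4096:1:0000000000000003:1700000000:::-:::scESC::::::23::0:
uid:-::::1700000000::C3::Unofficial Repo <repo@example.invalid>::::::::::0:'

# Run the check over the constructed sample; only the unsigned key is listed.
untrusted_keys_from_sample() {
  printf '%s\n' "$SAMPLE" | untrusted_keys
}

# On a real Arch system (as root, because of the keyring's permissions):
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons | untrusted_keys
```

A key that shows up here is exactly the case the FAQ describes: present in the keyring directory, but without a signature chain back to the root key pair, so the web of trust does not vouch for it.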

FAQ (continued)

Is it good practice to store the gpg keyfiles of unofficial repos in /usr/share/pacman/keyrings together with the archlinux keyfiles (or is there a risk associated)? -- Kewl (talk) 21:29, 17 December 2017 (UTC)